What does GDPR really mean for your business and the tools you use?
GDPR — The General Data Protection Regulation is coming into effect on 25 May, 2018, is forcing businesses to take note of how they store, collect and transmit personal data. While there’s a lot of information out there about the steps that companies need to take to be compliant, we wanted to come at it from another, often overlooked angle: what impact GDPR has on the tools that you use to get your job done.
Whether you use cloud storage, task management tools or online communication channels, you’re almost certainly moving information around on a variety of platforms over the course of any given day. This means that it’s very likely that you need to change the way that you do things in order to comply with GDPR — and we’ll explain exactly how in this guide.
What is GDPR and why does it matter?
In recent years there’s been an explosion in the amount of data that businesses are able to collect on their customers. GDPR, issued by the EU, aims to meet a growing public demand for increased visibility and control over this information, giving consumers access to and control over it on a personal basis. The legislation covers personal details that identify or could identify a given individual, such as name, identification numbers, location data and other digital identifiers; while details considered to be particularly sensitive include a person’s ethnicity, politics, religion, genetic details, health and sexuality.
The law affects all companies, from sole traders to multi-nationals, that have customers or employees in the EU and — take note — infractions can be met with fines of up to €20m or 4% of global annual turnover, whichever is higher. And if you’re hoping that Brexit may be a get-out-of-jail-free card, think again: the law will come into force almost a year before the UK leaves the EU; EU citizens and staff will still be covered, whatever happens; and the UK is likely to ultimately stick with the law anyway.
Consumer rights
GDPR gives consumers the right to ask
- What information a business has on them and what they’re doing with it.
- To change and remove their information or to ask for it not to be used.
- To move their data from one provider to another.
So, what do you have to do?
Where you collect customer information, it must only be for legitimate purposes that are explicitly specified to the customer, and should not extend beyond use.
- If you are no longer using the data for the purpose for which it was obtained, then the data should be deleted.
- It should be accurate and kept up to date, and inaccurate data should be removed.
- Data should be stored and communicated securely (and you’re legally responsible for breaches).
- And you should be able to explain what you have, why and who is responsible for it.
This means, for example, that if you want to send out an email newsletter then customers have to opt in and with the expectation that they will receive communications from you. If you want to do anything very different with the information then you need to get their permission.
Complying with these requirements could mean some pretty big changes for how you go about things — and perhaps nowhere more so than when looking at the tools that you use on a day-to-day basis, including everything from cloud storage and browser-based task management tools to WhatsApp, Skype and email.
How do you store information?
A primary requirement of GDPR is knowing what information you have, where and why — and to achieve compliance you really need to de-duplicate and consolidate your records into a single data store. After all, if data sets are copied all over your system then explaining exactly what you have, or removing it, is going to be extremely difficult to achieve. For a smaller business, the solution may be to consolidate documentation into a single location in Dropbox or Google Drive, or, for a more scalable solution, to use a CRM such as Salesforce. It’s then best to pull information, whenever it’s needed, from this same dataset rather than replicating the information elsewhere. In the event that the customer requests their information be removed from the system you can then simply delete a line in a spreadsheet or an entry in your CRM.
GDPR also means minimising the amount of data that you collect and ensuring that there is a stated purpose for the collection of the information (and that the user consents to this). Acquiring data cleansing services is also a good idea and will help to ensure that you have a clean database, eradicating duplicated and inaccurate entries.
Larger businesses have a substantial challenge on their hands just identifying all the points at which they are collecting customer information (including via agencies and other third-parties); for smaller businesses, the process is likely to be relatively simple and is primarily about bringing all existing records into one place.
On a technical level, your system may also be automatically backed up to minimise the potential for data loss in the event of a disaster. The key thing here is simply that the backups are purged after a reasonable period of time to promptly eject any personal data that is no longer relevant or that needs to be removed from the system.
How do you communicate information?
It should be remembered that whenever digital information is communicated in written form it leaves a digital trail, often meaning that a copy is created. As part of the shift towards minimal data handling, best practice is to centralise storage and only call it up when it is needed. If colleagues request information then, rather than sending it straight to them, direct them to where it is stored (indeed, strict interpretations of compliance would interpret any communication as a processing of information, requiring explicit permission). If a contract is needed, meanwhile, keep it in a central file and refer to this; and if a task management log requires customer information, keep it to a minimum and consider deleting the information when the task is complete.
It’s also worth keeping in mind that compliance is more about driving culture, rather than issuing diktats for every new app and channel. As long as a mindset is in place that personal information is stored centrally, kept securely and communicated minimally, then you should be able to make a case that you’re doing everything you can to be compliant.
How do you secure information?
Centralising your data storage will give you a headstart with securing it — it’ll be far easier to definitively secure one platform rather than many, after all. The next step is to ensure security basics — make sure that staff are accessing the system with strong passwords (likely via a password manager) and that they’re regularly changing them; make sure that the system is patched and up to date; and, wherever possible, encrypt and password protect information and communication channels. This goes for all software and tools being used on a business basis, but particularly for your core data store. Enterprise businesses, meanwhile, are likely to be investing in Chief Information Security Officers, if they don’t have them already, to ensure robust security across their platforms (and particularly so in the wake of breaches like those that hit Yahoo! and Equifax).
Conclusion
Complying with GDPR may seem like a chore, but in many respects the law simply demands effective, thorough data management. After all, being able to communicate what information you hold and why (and being able to unsubscribe customers who don’t want to receive communications) can only be a good thing at the end of the day, illustrating corporate responsibility and boosting your customers’ confidence in your business.
